eke210 260 examcollection securitytut com 231q + ASDM sim 21 02 2017 kho tài liệu bách khoa

First, the device will have temporary network access between the time MAB succeeds andIEEE 802.1X authentication fails.. Source: https://en.wikipedia.org/wiki/Hairpinning QUESTION 30 Wha

210-260.examcollection.securitytut.com.231q + ASDM sim 2121-feb-2017

+ eke210-260.examcollection.premium.exam.179Q & 31 + 14 new q&a.vce

+ Brad's blog : https://quicktopic.com/52/H/eriUSvUbtanYY

+ reviewed and corrected some of Brad's Answers which I wrote wrong

+ Q160: added a link to the explanation

The NIST's definition of cloud computing defines the service models as follows:[2]

+ Software as a Service (SaaS) The capability provided to the consumer is to use the provider’s applicationsrunning on a cloud infrastructure The applications are accessible from various client devices through either athin client interface, such as a web browser (e.g., web-based email), or a program interface The consumerdoes not manage or control the underlying cloud infrastructure including network, servers, operating systems,storage, or even individual application capabilities, with the possible exception of limited user-specific

application configuration settings

+ Platform as a Service (PaaS) The capability provided to the consumer is to deploy onto the cloud

infrastructure consumer-created or acquired applications created using programming languages, libraries,services, and tools supported by the provider The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, or storage, but has control over the deployedapplications and possibly configuration settings for the application-hosting environment

+ Infrastructure as a Service (IaaS) The capability provided to the consumer is to provision processing,

storage, networks, and other fundamental computing resources where the consumer is able to deploy and runarbitrary software, which can include operating systems and applications The consumer does not manage orcontrol the underlying cloud infrastructure but has control over operating systems, storage, and deployedapplications; and possibly limited control of select networking components (e.g., host firewalls)

Source: https://en.wikipedia.org/wiki/Cloud_computing#Service_models

QUESTION 2

In which two situations should you use out-of-band management? (Choose two.)

A when a network device fails to forward packets

B when you require ROMMON access

C when management applications need concurrent access to the device

Source: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap9.html

QUESTION 3

In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)

A TACACS uses TCP to communicate with the NAS

B TACACS can encrypt the entire packet that is sent to the NAS

C TACACS supports per-command authorization

D TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted

E TACACS uses UDP to communicate with the NAS

F TACACS encrypts only the password field in an authentication packet

Correct Answer: ABC

An example of a default ACL on a campus access layer switch is shown below:

Extended IP access list ACL-DEFAULT

10 permit udp any eq bootpc any eq bootps log (2604 matches)

20 permit udp any host 10.230.1.45 eq domain

30 permit icmp any any

40 permit udp any any eq tftp

50 deny ip any any log (40 matches)

As seen from the output above, ACL-DEFAULT allows DHCP, DNS, ICMP, and TFTP traffic and denies

everything else

Source: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Wired.html

MAB is an access control technique that Cisco provides and it is called MAC Authentication Bypass

+ Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm

+ AES in the Galois/Counter Mode (GCM) of operation

+ ECC Digital Signature Algorithm

+ SHA-256, SHA-384, and SHA-512

Source: Cisco Official Certification Guide, Next-Generation Encryption Protocols, p.97

QUESTION 6

Which three ESP fields can be encrypted during transmission? (Choose three.)

A Security Parameter Index

B Sequence Number

C MAC Address

The packet begins with two 4-byte fields (Security Parameters Index (SPI) and Sequence Number) Followingthese fields is the Payload Data, which has substructure that depends on the choice of encryption algorithm andmode, and on the use of TFC padding, which is examined in more detail later Following the Payload Data are

Padding and Pad Length fields, and the Next Header field The optional Integrity Check Value (ICV) field

completes the packet

These are the three different types of authentication supported by OSPF

+ Null Authentication—This is also called Type 0 and it means no authentication information is included in thepacket header It is the default

+ Plain Text Authentication—This is also called Type 1 and it uses simple clear-text passwords.

+ MD5 Authentication—This is also called Type 2 and it uses MD5 cryptographic passwords.

Source: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html

For example, you can specify that management traffic, such as SSH/HTTPS/SSL and so on, can be

ratelimited (policed) down to a specific level or dropped completely

Another way to think of this is as applying quality of service (QoS) to the valid management traffic and policing

to the bogus management traffic

Source: Cisco Official Certification Guide, Table 10-3 Three Ways to Secure the Control Plane, p.269

QUESTION 10

Which two statements about stateless firewalls are true? (Choose two.)

A They compare the 5-tuple of each incoming packet against configurable rules

B They cannot track connections

C They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS

D Cisco IOS cannot implement them because the platform is stateful by nature

E The Cisco ASA is implicitly stateless because it blocks all traffic by default

In stateless inspection, the firewall inspects a packet to determine the 5-tuple—source and destination IP

addresses and ports, and protocol—information contained in the packet This static information is then

compared against configurable rules to determine whether to allow or drop the packet.

In stateless inspection the firewall examines each packet individually, it is unaware of the packets that havepassed through before it, and has no way of knowing if any given packet is part of an existing connection, is

C It can generate alerts based on behavior at the desktop level.

D It can be deployed at the perimeter

E It uses signature-based policies

F It works with deployed firewalls

Correct Answer: ABC

Section: (none)

Explanation

Explanation/Reference:

BD

If the network traffic stream is encrypted, HIPS has access to the traffic in unencrypted form.

HIPS can combine the best features of antivirus, behavioral analysis, signature filters, network firewalls, andapplication firewalls in one package

Host-based IPS operates by detecting attacks that occur on a host on which it is installed HIPS works byintercepting operating system and application calls, securing the operating system and application

configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspiciousactivity

D request block connection

E request block host

In promiscuous mode, packets do not flow through the sensor The disadvantage of operating in

promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its intended target

for certain types of attacks, such as atomic attacks (single-packet attacks) The response actions implemented

by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack.

Source: http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/

cli_interfaces.html

QUESTION 13

When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?

A Deny the connection inline

B Perform a Layer 6 reset

C Deploy an antimalware system

D Enable bypass mode

numbers), which could still be permitted through the inline IPS.

Available only if the sensor is configured as an IPS

Source: Cisco Official Certification Guide, Table 17-4 Possible Sensor Responses to Detected Attacks, p.465

QUESTION 14

What is an advantage of implementing a Trusted Platform Module for disk encryption?

A It provides hardware authentication

B It allows the hard disk to be transferred to another device without requiring re-encryption.dis

C It supports a more complex encryption algorithm than other disk-encryption technologies

D It can protect against single points of failure

Software can use a Trusted Platform Module to authenticate hardware devices Since each TPM chip has a

unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication.Source: https://en.wikipedia.org/wiki/Trusted_Platform_Module#Disk_encryption

QUESTION 15

What is the purpose of the Integrity component of the CIA triad?

A to ensure that only authorized parties can modify data

B to determine whether data is relevant

C to create a process for accessing data

D to ensure that only authorized parties can view data

Correct Answer: A

QUESTION 16

In a security context, which action can you take to address compliance?

A Implement rules to prevent a vulnerability

B Correct or counteract a vulnerability

C Reduce the severity of a vulnerability

D Follow directions from the security appliance manufacturer to remediate a vulnerability

Which type of secure connectivity does an extranet provide?

A other company networks to your company network

B remote branch offices to your company network

C your company network to the Internet

D new networks to your company network

What is an Extranet? In the simplest terms possible, an extranet is a type of network that crosses

organizational boundaries, giving outsiders access to information and resources stored inside the organization'sinternal network (Loshin, p 14)

attack a target system

Source: Cisco Official Certification Guide, Table 1-6 Additional Attack Methods, p.16

QUESTION 19

What type of security support is provided by the Open Web Application Security Project?

A Education about common Web site vulnerabilities

B A Web site security framework

C A security discussion forum for Web site developers

D Scoring of common vulnerabilities and exposures

individuals and organizations are able to make informed decisions OWASP is in a unique position to

provide impartial, practical information about AppSec to individuals, corporations, universities, governmentagencies and other organizations worldwide

Refer to the exhibit.

How many times was a read-only string used to attempt a write operation?

that community

Source: http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_16.html

QUESTION 23

Refer to the exhibit

Which statement about the device time is true?

A The time is authoritative, but the NTP process has lost contact with its servers

B The time is authoritative because the clock is in sync

C The clock is out of sync

Remember: The [.] at the beginning of the time tells us the NTP process has last contact with its servers We

know the time is authoritative because there would be a [*] at the beginning if not

QUESTION 24

How does the Cisco ASA use Active Directory to authorize VPN users?

A It queries the Active Directory server for a specific attribute for the specified user

B It sends the username and password to retrieve an ACCEPT or REJECT message from the Active

Directory server

C It downloads and stores the Active Directory database to query for future authorization requests

D It redirects requests to the Active Directory server defined for the VPN group

Correct Answer: A

Section: (none)

Explanation

VPN user are correct and the tunnel negotiation will move to the Phase 2.

Source: authentication-on-asa.html

http://www.networkworld.com/article/2228531/cisco-subnet/using-your-active-directory-for-vpn-QUESTION 25

Which statement about Cisco ACS authentication and authorization is true?

A ACS servers can be clustered to provide scalability

B ACS can query multiple Active Directory domains

C ACS uses TACACS to proxy other authentication servers

D ACS can use only one authorization profile to allow or deny requests

Source: ADIntegration/guide/Active_Directory_Integration_in_ACS_5-8.pdf

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/ACS-+ You can define multiple authorization profiles as a network access policy result In this way, you maintain asmaller number of authorization profiles, because you can use the authorization profiles in combination as ruleresults, rather than maintaining all the combinations themselves in individual profiles So D is not correct+ ACS 5.1 can function both as a RADIUS and RADIUS proxy server When it acts as a proxy server, ACSreceives authentication and accounting requests from the NAS and forwards the requests to the externalRADIUS server So C is nor correct

Source: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-1/user/guide/acsuserguide/policy_mod.html

QUESTION 26

Refer to the exhibit

If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how willthe switch respond?

A The supplicant will fail to advance beyond the webauth method

B The switch will cycle through the configured authentication methods indefinitely

C The authentication attempt will time out and the switch will place the port into the unauthorized state

D The authentication attempt will time out and the switch will place the port into VLAN 101

Case 2: Order MAB Dot1x and Priority Dot1x MAB

If you change the order so that MAB comes before IEEE 802.1X authentication and change the default priority

so that IEEE 802.1X authentication precedes MAB, then every device in the network will still be subject to MAB,but devices that pass MAB can subsequently go through IEEE 802.1X authentication

Special consideration must be paid to what happens if a device fails IEEE 802.1X authentication after

successful MAB First, the device will have temporary network access between the time MAB succeeds andIEEE 802.1X authentication fails What happens next depends on the configured event-fail behavior

If next-method is configured and a third authentication method (such as WebAuth) is not enabled, then theswitch will return to the first method (MAB) after the held period MAB will succeed, and the device will againhave temporary access until and unless the supplicant tries to authenticate again

If next-method failure handling and local WebAuth are both configured after IEEE 802.1X authentication fails,local WebAuth ignores EAPoL-Start commands from the supplicant

Source: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html

"lightweight" implementation Use of server certificates is optional in EAP-FAST EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified.

Source: https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

QUESTION 28

What is one requirement for locking a wired or wireless device from ISE?

A The ISE agent must be installed on the device

B The device must be connected to the network when the lock command is executed

C The user must approve the locking action

D The organization must implement an acceptable use policy allowing device locking

Hairpinning is where a machine on the LAN is able to access another machine on the LAN via the external IPaddress of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate

machine on the LAN)

Source: https://en.wikipedia.org/wiki/Hairpinning

QUESTION 30

What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?

A split tunneling

Source: https://en.wikipedia.org/wiki/Split_tunneling

QUESTION 31

Refer to the exhibit

What is the effect of the given command sequence?

A It configures IKE Phase 1

B It configures a site-to-site VPN tunnel

C It configures a crypto policy with a key size of 14400

D It configures IPSec Phase 2

C It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.

D It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24

Refer to the exhibit

While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command What does the

given output show?

A IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5

B IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5

C IPSec Phase 1 is down due to a QM_IDLE state

D IPSec Phase 2 is down due to a QM_IDLE state

This is the output of the #show crypto isakmp sa command This command shows the Internet Security

Association Management Protocol (ISAKMP) security associations (SAs) built between peers - IPsec Phase1

The "established" clue comes from the state parameter QM_IDLE - this is what we want to see.

More on this

00.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-QUESTION 34

Refer to the exhibit

While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command What does the given

output show?

A IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5

B ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1

C IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5

D IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets

Refer to the exhibit

The Admin user is unable to enter configuration mode on a device with the given configuration What changecan you make to the configuration to correct the problem?

A Remove the autocommand keyword and arguments from the Username Admin privilege line

B Change the Privilege exec level value to 15

C Remove the two Username Admin lines

D Remove the Privilege exec line

autocommand: (Optional) Causes the specified command to be issued automatically after the user logs in.

When the command is complete, the session is terminated Because the command can be any length and cancontain embedded spaces, commands using the autocommand keyword must be the last option on the line

A The secure boot-image command is configured.

B The secure boot-config command is configured

C The confreg 0x24 command is configured

D The reload command was issued from ROMMON

s1.html#wp3328121947

QUESTION 37

What is the effect of the send-lifetime local 23:59:00 31 December 2013 infinite command?

A It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time

on January 1, 2014 and continue using the key indefinitely

B It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time

on December 31, 2013 and continue using the key indefinitely

C It configures the device to begin accepting the authentication key from other devices immediately and stopaccepting the key at 23:59:00 local time on December 31, 2013

D It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00local time on December 31, 2013

E It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time

on December 31, 2013 and continue accepting the key indefinitely

F It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time

on January 1, 2014 and continue accepting the key indefinitely

To send the valid key and to authenticate information from the local host to the peer, use the send-lifetime

command in keychain-key configuration mode

send-lifetime start-time [ duration duration value | infinite | end-time ]

start-time: Start time, in hh:mm:ss day month year format, in which the key becomes valid The range is from0:0:0 to 23:59:59

infinite: (Optional) Specifies that the key never expires once it becomes valid

Source: http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/security/command/reference/b_syssec_cr42crs/b_syssec_cr41crs_chapter_0100.html#wp2198915138

QUESTION 38

What type of packet creates and performs network operations on a network device?

A control plane packets

B data plane packets

C management plane packets

D services plane packets

A The switch could offer fake DHCP addresses

B The switch could become the root bridge

C The switch could be allowed to join the VTP domain

D The switch could become a transparent bridge

If a switch receives an inferior BPDU, nothing changes Receiving a superior BPDU will kick off a

reconvergence of the STP topology So the rogue switch may become a root bridge

Source: http://www.networkpcworld.com/what-are-inferior-and-superior-bpdus-of-stp/

QUESTION 40

In what type of attack does an attacker virtually change a device's burned-in address in an attempt to

circumvent access lists and mask the device's true identity?

A gratuitous ARP

B ARP poisoning

C IP spoofing

D MAC spoofing

QUESTION 41

What command can you use to verify the binding table status?

A “show ip dhcp snooping binding”

B “show ip dhcp pool”

C “show ip dhcp source binding”

D “show ip dhcp snooping”

E “show ip dhcp snooping database”

F “show ip dhcp snooping statistics”

If not E is not the correct answer, then the answer is A However, I'm pretty sure it is E based on these twoquotes:

"Use the show ip dhcp snooping binding command in EXEC mode to display the DHCP snooping bindingdatabase and configuration information for all interfaces on a switch."

"Use the show ip dhcp snooping database command in EXEC mode to display the status of the DHCPsnooping binding database agent

BD

@Answer on securitytut.com made a valid comment on the fact that it's not asking about the database agent,

as Brad's reference, but on the status (not statistics) of the binding table

On CCNP R&S TShoot 300-135 Official Guide, page 267 it says …

Example 7-26 Verifying DHCP Snooping Bindings

SW1# show ip dhcp snooping binding

MacAddress IpAddress Lease(sec) Type VLAN Interface

—————— ————– ———- ————- —- ————–

08:00:27:5D:06:D6 10.1.1.10 67720 dhcp-snooping 10 FastEthernet0/1

Total number of bindings: 1

So, what is DHCP Snooping bindings and what is the status of binding table? Aren’t they the same An if so itclearly says “verify”

QUESTION 42

If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?

A STP root guard

B EtherChannel guard

Remember: The phrase "only superior BPDUs" is the key to the correct answer BPDU guard will block a port if

*ANY* BPDU is received

BD

Root guard allows the device to participate in STP as long as the device does not try to become the root If rootguard blocks the port, subsequent recovery is automatic Recovery occurs as soon as the offending deviceceases to send superior BPDUs

Source: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

QUESTION 43

Which statement about a PVLAN isolated port configured on a switch is true?

A The isolated port can communicate only with the promiscuous port

B The isolated port can communicate with other isolated ports and the promiscuous port

C The isolated port can communicate only with community ports

D The isolated port can communicate only with other isolated ports

Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html

+ Simply do not put any hosts on VLAN 1 (The default VLAN)

+ Change the native VLAN on all trunk ports to an unused VLAN ID

Source: https://en.wikipedia.org/wiki/VLAN_hopping

QUESTION 45

What is a reason for an organization to deploy a personal firewall?

A To protect endpoints such as desktops from malicious activity

B To protect one virtual network segment from another

C To determine whether a host meets minimum security posture requirements

D To create a separate, non-persistent virtual environment that can be destroyed after a session

E To protect the network from DoS and syn-flood attacks

Source: Cisco Official Certification Guide, Personal Firewalls and Host Intrusion Prevention Systems , p.499

QUESTION 46

Which statement about personal firewalls is true?

A They can protect a system by denying probing requests

B They are resilient against kernel attacks

C They can protect email messages and private documents in a similar way to a VPN

D They can protect the network against attacks

+ Block or alert the user about all unauthorized inbound or outbound connection attempts

+ Allows the user to control which programs can and cannot access the local network and/or Internet andprovide the user with information about an application that makes a connection attempt

+ Hide the computer from port scans by not responding to unsolicited network traffic

+ Monitor applications that are listening for incoming connections

+ Monitor and regulate all incoming and outgoing Internet users

+ Prevent unwanted network traffic from locally installed applications

+ Provide information about the destination server with which an application is attempting to communicate+ Track recent incoming events, outgoing events, and intrusion events to see who has accessed or tried toaccess your computer

+ Personal Firewall blocks and prevents hacking attempt or attack from hackers

Source: https://en.wikipedia.org/wiki/Personal_firewall

QUESTION 47

Refer to the exhibit

What type of firewall would use the given configuration line?

20 in use, 21 most used

UDP OUTSIDE 172.16.0.100:53 INSIDE 10.10.10.2:59655, idle 0:00:06, bytes 39, flags

-QUESTION 48

What is the only permitted operation for processing multicast traffic on zone-based firewalls?

A Only control plane policing can protect the control plane against multicast traffic

Neither Cisco IOS ZFW or Classic Firewall include stateful inspection support for multicast traffic

So the only choice is A

Source: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

QUESTION 49

How does a zone-based firewall implementation handle traffic between interfaces in the same zone?

A Traffic between two interfaces in the same zone is allowed by default

B Traffic between interfaces in the same zone is blocked unless you configure the same-security permitcommand

C Traffic between interfaces in the same zone is always blocked

D Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone pair

For interfaces that are members of the same zone, all traffic is permitted by default

Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380

QUESTION 50

Which two statements about Telnet access to the ASA are true? (Choose two)

A You may VPN to the lowest security interface to telnet to an inside interface

B You must configure an AAA server to enable Telnet

C You can access all interfaces on an ASA using Telnet

D You must use the command virtual telnet to enable Telnet

E Best practice is to disable Telnet and use SSH

Which statement about communication over failover interfaces is true?

A All information that is sent over the failover and stateful failover interfaces is sent as clear text by default

B All information that is sent over the failover interface is sent as clear text, but the stateful failover link isencrypted by default

C All information that is sent over the failover and stateful failover interfaces is encrypted by default

D User names, passwords, and preshared keys are encrypted by default when they are sent over the failoverand stateful failover interfaces, but other information is sent as clear text.

communication with a failover key if you are using the security appliance to terminate VPN tunnels

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/failover.html

QUESTION 52

If a packet matches more than one class map in an individual feature type's policy map, how does the ASAhandle the packet?

A The ASA will apply the actions from only the first matching class map it finds for the feature type

B The ASA will apply the actions from only the most specific matching class map it finds for the feature type

C The ASA will apply the actions from all matching class maps it finds for the feature type

D The ASA will apply the actions from only the last matching class map it finds for the feature type

See the following information for how a packet matches class maps in a policy map for a given interface:

1 A packet can match only one class map in the policy map for each feature type

2 When the packet matches a class map for a feature type, the ASA does not attempt to match it to any subsequent class maps for that feature type.

3 If the packet matches a subsequent class map for a different feature type, however, then the ASA alsoapplies the actions for the subsequent class map, if supported See the "Incompatibility of Certain FeatureActions" section for more information about unsupported combinations

If a packet matches a class map for connection limits, and also matches a class map for an application

inspection, then both actions are applied

If a packet matches a class map for HTTP inspection, but also matches another class map that includes

C To provide redundancy and high availability within the organization.

D To enable the use of multicast routing and QoS through the firewall

Common Uses for Security Contexts

+ You are a service provider and want to sell security services to many customers By enabling multiple securitycontexts on the ASA, you can implement a cost-effective, space-saving solution that keeps all customer trafficseparate and secure, and also eases configuration

+ You are a large enterprise or a college campus and want to keep departments completely separate.

+ You are an enterprise that wants to provide distinct security policies to different departments

+ You have any network that requires more than one ASA

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_contexts.html

QUESTION 54

What is an advantage of placing an IPS on the inside of a network?

A It can provide higher throughput

B It receives traffic that has already been filtered

C It receives every inbound packet

D It can provide greater security

non-An IDS/IPS is, generally speaking, doing more deep packet inspections and that is a much more

computationally expensive undertaking For that reason, we prefer to filter what gets to it with the firewall line ofdefense before engaging the IDS/IPS to analyze the traffic flow

In an even more protected environment, we would also put a first line of defense in ACLs on an edge routerbetween the firewall and the public network(s)

Source: https://supportforums.cisco.com/discussion/12428821/correct-placement-idsips-network-architecture

QUESTION 55

What is the FirePOWER impact flag used for?

A A value that indicates the potential severity of an attack

B A value that the administrator assigns to each signature

C A value that sets the priority of a signature.

D A value that measures the application awareness

Impact Flag: Choose the impact level assigned to the intrusion event

Because no operating system information is available for hosts added to the network map from NetFlow data,the system cannot assign Vulnerable (impact level 1: red) impact levels for intrusion events involving thosehosts In such cases, use the host input feature to manually set the operating system identity for the hosts Source: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Correlation_Policies.html

particular source IP address or addresses

+ excessive matches for a particular rule across all traffic

Preventing SYN Attacks

The SYN attack prevention option helps you protect your network hosts against SYN floods You can protectindividual hosts or whole networks based on the number of packets seen over a period of time If your device isdeployed passively, you can generate events If your device is placed inline, you can also drop the maliciouspackets After the timeout period elapses, if the rate condition has stopped, the event generation and packetdropping stops

Source: module-user-guide-v541/Intrusion-Threat-Detection.html

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-QUESTION 57

Which Sourcefire logging action should you choose to record the most detail about a connection?

A Enable logging at the end of the session

B Enable logging at the beginning of the session

C Enable alerts via SNMP to log events off-box

D Enable eStreamer to log events off-box

FirePOWER (former Sourcefire)

Logging the Beginning And End of Connections

When the system detects a connection, in most cases you can log it at its beginning and its end

For a single non-blocked connection, the end-of-connection event contains all of the information in the beginning-of-connection event, as well as information gathered over the duration of the session

Source: module-user-guide-v541/AC-Connection-Logging.html#15726

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-QUESTION 58

What can the SMTP preprocessor in FirePOWER normalize?

A It can extract and decode email attachments in client to server traffic

B It can look up the email sender

C It compares known threats to the email sender

D It can forward the SMTP traffic to an email filter server

E It uses the Traffic Anomaly Detector

extract and decode email attachments in client-to-server traffic and, depending on the software version, extractemail file names, addresses, and header data to provide context when displaying intrusion events triggered bySMTP traffic.

Source: module-user-guide-v541/NAP-App-Layer.html#85623

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-QUESTION 59

You want to allow all of your company's users to access the Internet without allowing other Web servers tocollect the IP addresses of individual users

What two solutions can you use? (Choose two)

A Configure a proxy server to hide users' local IP addresses

B Assign unique IP addresses to all users

C Assign the same IP address to all users

D Install a Web content filter to hide users' local IP addresses

E Configure a firewall to use Port Address Translation

In computer networks, a proxy server is a server (a computer system or an application) that acts as an

intermediary for requests from clients seeking resources from other servers.[1] A client connects to the proxyserver, requesting some service, such as a file, connection, web page, or other resource available from adifferent server and the proxy server evaluates the request as a way to simplify and control its complexity.Proxies were invented to add structure and encapsulation to distributed systems.[2] Today, most proxies areweb proxies, facilitating access to content on the World Wide Web and providing anonymity

Source: https://en.wikipedia.org/wiki/Proxy_server

Port Address Translation (PAT) is a subset of NAT, and it is still swapping out the source IP address as traffic

goes through the NAT/PAT device, except with PAT everyone does not get their own unique translated

address Instead, the PAT device keeps track of individual sessions based on port numbers and other uniqueidentifiers, and then forwards all packets using a single source IP address, which is shared This is oftenreferred to as NAT with overload; we are hiding multiple IP addresses on a single global address

Source: Cisco Official Certification Guide, Port Address Translation, p.368

QUESTION 60

You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security

Intelligence IP Address Reputation A user calls and is not able to access a certain IP address What action canyou take to allow the user access to the IP address?

Using Security Intelligence Whitelists

In addition to a blacklist, each access control policy has an associated whitelist, which you can also populatewith Security Intelligence objects A policy’s whitelist overrides its blacklist That is, the system evaluates trafficwith a whitelisted source or destination IP address using access control rules, even if the IP address is alsoblacklisted In general, use the whitelist if a blacklist is still useful, but is too broad in scope and incorrectlyblocks traffic that you want to inspect

Source: v5401/AC-Secint-Blacklisting.pdf

C Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router

D Enable URL filtering on the perimeter router and add the URLs you want to block to the router’s local URLlist

E Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router

Remember: A and B are not correct answers because you cannot use a router's URL list to filter URLs on a

firewall, and vice versa E is not correct because whitelists are used to allow websites, not block, and that is notwhat the question is asking for

Source: http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/

QUESTION 62

When is the best time to perform an antivirus signature update?

A Every time a new update is available

B When the local scanner has detected a new virus

C When a new virus is discovered in the wild

D When the system detects a browser hook

Which statement about application blocking is true?

A It blocks access to specific programs

B It blocks access to files with specific extensions

C It blocks access to specific network addresses

D It blocks access to specific network services

How do you block unknown applications on Cisco Web Security Appliance

If Application Visibility Controls (AVC) are enabled (Under GUI > Security Services > Web Reputation and

Anti-Malware), then we can block access based on application types like Proxies, File Sharing, Internet utilities.

We can do this under Web Security Manager > Access Policies > 'Applications' column <for the requiredaccess policy>

Source: 00.html

http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118486-technote-wsa-Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)

QUESTION 65

Scenario

In this simulation, you have access to ASDM only Review the various ASA configurations using ASDM thenanswer the five multiple choice questions about the ASA SSLVPN configurations

To access ASDM, click the ASA icon in the topology diagram

Note: Not all ASDM functionalities are enabled in this simulation

To see all the menu options available on the left navigation pane, you may also need to un-expand the

Which user authentication method is used when users login to the Clientless SSLVPN portal using

https://209.165.201.2/test?

A AAA with LOCAL database

B AAA with RADIUS server

C Certificate

D Both Certificate and AAA with LOCAL database

E Both Certificate and AAA with RADIUS server

This can be seen from the Connection Profiles Tab of the Remote Access VPN configuration, where the alias

of test is being used

QUESTION 66

Scenario

In this simulation, you have access to ASDM only Review the various ASA configurations using ASDM thenanswer the five multiple choice questions about the ASA SSLVPN configurations

To access ASDM, click the ASA icon in the topology diagram

Note: Not all ASDM functionalities are enabled in this simulation

To see all the menu options available on the left navigation pane, you may also need to un-expand theexpanded menu first

Which two statements regarding the ASA VPN configurations are correct? (Choose two)

A The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustPoint1

B The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method

C The Inside-SRV bookmark references the https://192.168.1.2 URL

D Only Clientless SSL VPN access is allowed with the Sales group policy

E AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface

F The Inside-SRV bookmark has not been applied to the Sales group policy

=============================For C, Navigate to the Bookmarks tab:

Then hit “edit” and you will see this:

==================================

Not A, as this is listed under the Identity Certificates, not the CA certificates: